| Groups | Blog | Home |
asp.net webservices : X509Certificate not passed to webservice.
Hi all,
I have the following scenario (XP / IIS 5, FX v1.1.4322) Both the client app and web service are running on my local development machine. I am using a straightforward HTTPWebRequest, and WSE 2 to add an X509 certificate, as follows: ================================================================== Private Function CreateWebRequest() As HttpWebRequest Dim objRequest As HttpWebRequest = WebRequest.Create(m_URL & "/" & m_Operation) SetProxy(objRequest.Proxy) objRequest.Method = "POST" objRequest.ContentType = "application/x-www-form-urlencoded" objRequest.Timeout = 300000 Dim certStore As X509CertificateStore certStore = X509CertificateStore.LocalMachineStore(X509CertificateStore.RootStore.ToString) certStore.OpenRead() Dim cert As X509Certificates.X509Certificate If certStore.FindCertificateBySubjectString("XYZ").Count > 0 Then cert = certStore.FindCertificateBySubjectString("XYZ")(0) End If objRequest.ClientCertificates.Add(cert) Return objRequest End Function ================================================================== This is using a test cert generated with makecert, and imported into the local machine root store. When in debug mode, I can see the cert is retrieved and added to the request's clientcertificates collection fine. However when inspecting the Context.Request.ClientCertificate property in the WebService code, there is only an HTTPClientCerticate object there with its properties unpopulated . ( this seems to be present irrespective of whether or not the certificate is added client side) I have attempted a similar exercise with the following test code which I found here : http://www.15seconds.com/issue/020312.htm to test a straightforward web service scenario, with the same result. (The cert does not seem to be passed to the service...) ================================================================== private void TestService_Click(object sender, System.EventArgs e) { CSWebservices.CCWebservice objws ; objws = new CSWebservices.CCWebservice() ; X509Certificate objCert ; objCert = X509Certificate.CreateFromCertFile("xyz.cer") ; objws.ClientCertificates.Add(objCert) ; CSWebservices.ClientCertificateDetails objCertDetails ; objCertDetails = objws.GetCertificateDetails() ; } ================================================================== Server Side: [WebMethod] public ClientCertificateDetails GetCertificateDetails() { HttpClientCertificate objCertificate = HttpContext.Current.Request.ClientCertificate ; ClientCertificateDetails objCertificateDetails = new ClientCertificateDetails() ; objCertificateDetails.Cookie = objCertificate.Cookie ; objCertificateDetails.IsPresent = objCertificate.IsPresent ; objCertificateDetails.Issuer = objCertificate.Issuer ; objCertificateDetails.IsValid = objCertificate.IsValid ; objCertificateDetails.KeySize = objCertificate.KeySize ; objCertificateDetails.SecretKeySize = objCertificate.SecretKeySize ; objCertificateDetails.SerialNumber = objCertificate.SerialNumber ; objCertificateDetails.ServerIssuer = objCertificate.ServerIssuer ; objCertificateDetails.ServerSubject = objCertificate.ServerSubject ; objCertificateDetails.ValidFrom = objCertificate.ValidFrom ; objCertificateDetails.ValidUntil = objCertificate.ValidUntil ; return objCertificateDetails ; } ====================================================================== If I configure IIS to require Client certificates: I experience HTTP 403.7 ( cert required ) errors. Any ideas / pointers would be appreciated. Thanks,
Did you install SSL Cert on your machine running IIS?
Chew [quoted text, click to view] > Hi all, > > I have the following scenario (XP / IIS 5, FX v1.1.4322) Both the > client app and web service are running on my local development > machine. > > I am using a straightforward HTTPWebRequest, and WSE 2 to add an X509 > certificate, as follows: > > ================================================================== > Private Function CreateWebRequest() As HttpWebRequest > > Dim objRequest As HttpWebRequest = WebRequest.Create(m_URL & > "/" & m_Operation) > > > SetProxy(objRequest.Proxy) > > objRequest.Method = "POST" > objRequest.ContentType = "application/x-www-form-urlencoded" > objRequest.Timeout = 300000 > > Dim certStore As X509CertificateStore > certStore = X509CertificateStore.LocalMachineStore(X509CertificateStore.RootStore.ToString) > certStore.OpenRead() > > Dim cert As X509Certificates.X509Certificate > If certStore.FindCertificateBySubjectString("XYZ").Count > 0 > Then > cert = certStore.FindCertificateBySubjectString("XYZ")(0) > End If > > objRequest.ClientCertificates.Add(cert) > > Return objRequest > > > End Function > > ================================================================== > > This is using a test cert generated with makecert, and imported into > the local machine root store. When in debug mode, I can see the cert > is retrieved and added to the request's clientcertificates collection > fine. > > However when inspecting the Context.Request.ClientCertificate property > in the WebService code, there is only an HTTPClientCerticate object > there with its properties unpopulated . ( this seems to be present > irrespective of whether or not the certificate is added client side) > > I have attempted a similar exercise with the following test code which > I found here : http://www.15seconds.com/issue/020312.htm > to test a straightforward web service scenario, with the same result. > (The cert does not seem to be passed to the service...) > > ================================================================== > > private void TestService_Click(object sender, System.EventArgs e) > { > CSWebservices.CCWebservice objws ; > objws = new CSWebservices.CCWebservice() ; > > X509Certificate objCert ; > objCert = X509Certificate.CreateFromCertFile("xyz.cer") ; > > > objws.ClientCertificates.Add(objCert) ; > > CSWebservices.ClientCertificateDetails objCertDetails ; > objCertDetails = objws.GetCertificateDetails() ; > > } > > ================================================================== > > Server Side: > > [WebMethod] > public ClientCertificateDetails GetCertificateDetails() > { > HttpClientCertificate objCertificate = > HttpContext.Current.Request.ClientCertificate ; > ClientCertificateDetails objCertificateDetails = new > ClientCertificateDetails() ; > objCertificateDetails.Cookie = objCertificate.Cookie ; > objCertificateDetails.IsPresent = objCertificate.IsPresent ; > objCertificateDetails.Issuer = objCertificate.Issuer ; > objCertificateDetails.IsValid = objCertificate.IsValid ; > objCertificateDetails.KeySize = objCertificate.KeySize ; > objCertificateDetails.SecretKeySize = objCertificate.SecretKeySize > ; > objCertificateDetails.SerialNumber = objCertificate.SerialNumber ; > objCertificateDetails.ServerIssuer = objCertificate.ServerIssuer ; > objCertificateDetails.ServerSubject = objCertificate.ServerSubject > ; > objCertificateDetails.ValidFrom = objCertificate.ValidFrom ; > objCertificateDetails.ValidUntil = objCertificate.ValidUntil ; > > return objCertificateDetails ; > } > > ====================================================================== > > If I configure IIS to require Client certificates: I experience HTTP > 403.7 ( cert required ) errors. > > Any ideas / pointers would be appreciated. > > Thanks, > > Matthew
Did you install SSL Cert on your machine running IIS?
Chew [quoted text, click to view] > Hi all, > > I have the following scenario (XP / IIS 5, FX v1.1.4322) Both the > client app and web service are running on my local development > machine. > > I am using a straightforward HTTPWebRequest, and WSE 2 to add an X509 > certificate, as follows: > > ================================================================== > Private Function CreateWebRequest() As HttpWebRequest > > Dim objRequest As HttpWebRequest = WebRequest.Create(m_URL & > "/" & m_Operation) > > > SetProxy(objRequest.Proxy) > > objRequest.Method = "POST" > objRequest.ContentType = "application/x-www-form-urlencoded" > objRequest.Timeout = 300000 > > Dim certStore As X509CertificateStore > certStore = X509CertificateStore.LocalMachineStore(X509CertificateStore.RootStore.ToString) > certStore.OpenRead() > > Dim cert As X509Certificates.X509Certificate > If certStore.FindCertificateBySubjectString("XYZ").Count > 0 > Then > cert = certStore.FindCertificateBySubjectString("XYZ")(0) > End If > > objRequest.ClientCertificates.Add(cert) > > Return objRequest > > > End Function > > ================================================================== > > This is using a test cert generated with makecert, and imported into > the local machine root store. When in debug mode, I can see the cert > is retrieved and added to the request's clientcertificates collection > fine. > > However when inspecting the Context.Request.ClientCertificate property > in the WebService code, there is only an HTTPClientCerticate object > there with its properties unpopulated . ( this seems to be present > irrespective of whether or not the certificate is added client side) > > I have attempted a similar exercise with the following test code which > I found here : http://www.15seconds.com/issue/020312.htm > to test a straightforward web service scenario, with the same result. > (The cert does not seem to be passed to the service...) > > ================================================================== > > private void TestService_Click(object sender, System.EventArgs e) > { > CSWebservices.CCWebservice objws ; > objws = new CSWebservices.CCWebservice() ; > > X509Certificate objCert ; > objCert = X509Certificate.CreateFromCertFile("xyz.cer") ; > > > objws.ClientCertificates.Add(objCert) ; > > CSWebservices.ClientCertificateDetails objCertDetails ; > objCertDetails = objws.GetCertificateDetails() ; > > } > > ================================================================== > > Server Side: > > [WebMethod] > public ClientCertificateDetails GetCertificateDetails() > { > HttpClientCertificate objCertificate = > HttpContext.Current.Request.ClientCertificate ; > ClientCertificateDetails objCertificateDetails = new > ClientCertificateDetails() ; > objCertificateDetails.Cookie = objCertificate.Cookie ; > objCertificateDetails.IsPresent = objCertificate.IsPresent ; > objCertificateDetails.Issuer = objCertificate.Issuer ; > objCertificateDetails.IsValid = objCertificate.IsValid ; > objCertificateDetails.KeySize = objCertificate.KeySize ; > objCertificateDetails.SecretKeySize = objCertificate.SecretKeySize > ; > objCertificateDetails.SerialNumber = objCertificate.SerialNumber ; > objCertificateDetails.ServerIssuer = objCertificate.ServerIssuer ; > objCertificateDetails.ServerSubject = objCertificate.ServerSubject > ; > objCertificateDetails.ValidFrom = objCertificate.ValidFrom ; > objCertificateDetails.ValidUntil = objCertificate.ValidUntil ; > > return objCertificateDetails ; > } > > ====================================================================== > > If I configure IIS to require Client certificates: I experience HTTP > 403.7 ( cert required ) errors. > > Any ideas / pointers would be appreciated. > > Thanks, > > Matthew
Hi
Yes. I have a test certificate running on IIS and the web service is configured to require SSL. I am overriding cert warnings with the implementation of a custom CertificatePolicy, client side. My first thought was that, unless I set up the service to require client certificates, the certificate wouldn't be sent with the request. So I set up IIS to require client certificates. With that configuration, I got the 403.7 HTTP Error referred to in my first post. still a bit baffled on this one. I have also installed the root certificate for the test client certificate which I generated with makecert.exe (Root Agency), into the Local Machine Trusted Certification Authorities store. I also edited the certificate trust list on IIS to include the relevant client certificate. All this ... and the same result. either the client certificate doesnt seem to be sent, or if the service requires a client certificate then a 403 error. I wonder if the issue is that IIS is looking in the local user store, as opposed to the local machine store, to determine whether it recognizes the root CA....? Guess I'll give that a go.
Don't see what you're looking for? Try a search.
|
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |